Cisco VPN :: SIP Traffic Through ASA 5520 (Teardown UDP Connection)

Nov 22, 2008

I have a VPN tunnel between my ASA 5520 and another device.The tunnel is up and there are no problems in that. I have a SIP device behind my ASA and anther one behind the other device (no specific details about the other side since it is with a client).I have allowed the (ICMP & IP) traffic to pass through the tunnel, and I successfully can ping from my SIP the client's SIP through the tunnel.When I try to make a SIP call over the tunnel it fails.After troubleshooting I found the bellow results:
 
1-     the traffic never go through the tunnel (the number of packets are not increased when I try to make a call although it in increased when I ping the other side)

2-     When I made a test using the ASDM (Packet tracer) the result is successful (the traffic is NATed and allowed (passed the access list) and goes through the VPN tunnel).

3-     the below result are the output of the logging of my ASA:
 
6|Nov 23 2008|11:00:24|305011|10.43.11.86|39421|62.Y.98.30|10932|Built dynamic UDP translation from Voice:10.43.11.86/39421 to outside(Voice_nat_outbound):62.Y.98.30/10932
 6|Nov 23 2008|11:00:24|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 476764 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/10932) 
6|Nov 23 2008|11:00:24|305011|10.43.11.86|5060|62.Y.98.30|43072|Built dynamic UDP translation from Voice:10.43.11.86/5060 to outside(Voice_nat_outbound):62.Y.98.30/43072

[code].....

View 5 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5520 Inbound Traffic On Backup ISP Connection

Nov 3, 2011

I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast.  The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails.  This works perfectly fine.  However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active.  I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections. 

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic From DMZ To Internet And Block Traffic?

Apr 29, 2012

I have an ASA 5520 with the below config
 
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
 
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
 
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
 
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
 
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?

View 2 Replies View Related

Cisco Firewall :: Teardown TCP Connections With Kaseya Server (ASA 5510)

Sep 12, 2011

normaly the agents has a persistent connection with the kaseya server (monitoring server),The connection  re-established afther the next check-in of the agent, instead of a persistent connection. Now we need to wait to the next check-in before we can connect to the agent. This is a big performance issue, the check-in time of the agents are 3 minutes.I see a lot of the following messages in de syslog:
 
6Sep 12 201120:27:48302013customer site527985721Built inbound TCP connection 5418112 for outside:(customer site)/52798 (customer site/52798) to inside:kaseya server/5721 (outsideIP/5721) 
6Sep 12 201120:29:09302014customer site527985721Teardown TCP connection 5418112 for outside:(customer site)/52798 to inside:kaseya server/5721 duration 0:01:21 bytes 45 TCP FINs 
  
I create a normal static nat rule from the kaseya server to a public ip address, and i define the protocols in de secutiry policy.ICMP has been allowed.cisco asa details:System image file is "disk0:/asa824-k8.bin" This platform has an ASA 5510 Security Plus license.It's look like a connection time-out between the agents and our cisco asa.

View 8 Replies View Related

Cisco Firewall :: ASA 5520 VPN Tunnel Up But Not Traffic

Nov 1, 2012

We just migrated from a single 5510 to a dual (failover)  5520, It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users, (going to LDAP when all is working) but no traffic is passing. I know I am overlooking something but cant see it. [code]

View 12 Replies View Related

Cisco Firewall :: 5520 VPN Traffic Between Interfaces

Jun 12, 2011

Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).

View 4 Replies View Related

Cisco Firewall :: Traffic Prioritization On ASA 5520?

Dec 1, 2011

I have a Cisco ASA 5520 (8.0) and I'm trying to figure out how to prioritize traffic to specific websites (by either domain names or IP addresses/ranges).  This document [URL] has some great examples, but I'm not able to create a class-map that will match addresses.  I'm not doing any other traffic manipulation on this ASA. 

View 1 Replies View Related

Cisco WAN :: Configure Traffic Between 2 Networks In ASA 5520?

Apr 16, 2013

I have a firewall ASA 5520. In this time I have connected 3 networks (192.168.1.0 INSIDE, 192.168.2.0 INSIDE2, 10.0.1.0 OUTSIDE). I follow the article [URL] to configure my firewall, but the ASA no permit  traffic (ip, udp, icmp, etc) between the networks.
The configuration that i have is:
 
ASA Version 8.2(1)
!
hostname Firewall
domain-name xxxxxx.com

[Code].....

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic Between DMZ Servers?

Dec 20, 2011

We can´t reach DMZ servers from other DMZ servers?If I make a ping from DMZ server to another, sometimes only recieve one ping, sometimes 4, sometimes 0.How can I allow the traffic between DMZ servers??
 
(ASA 5520 Version 8.4)

View 2 Replies View Related

Cisco VPN :: 5520 - Tunnel Up But Not Passing Traffic

Jan 15, 2012

I have a site to site tunnel between two 5520 ASAs.  Tunnel is up but when I try to talk to the other side, the implicit deny on the inside interface of the local ASA blocks the traffic.  When I ping, the tunnel comes up but in the logs it says it is blocking icmp from inside to outside.  I have tried the sys opt connection permit-vpn but it is not working.  The traffic is from 5 specific machines within the local sub net that I put in a network object group called Celerra_Replication.

I want to them to be able to talk to 5 machines on the far end of the tunnel in a seperate sub net.  They are in a net wrok object group called GP_Celerra_Replication The ACLs I created for this appear to be created correctly allowing IP from Celerra_replication to GP_Celerra_Replication and the opposite on the other side. 

View 1 Replies View Related

Cisco Firewall :: 5520 - Traffic From Inside To Outside

Mar 2, 2011

I am setting up a pair of 5520 in A/S mode but the traffic from inside to outside seems blocked somehow.

asa01# sh run : Saved
ASA Version 8.3(1)
host name asa01
enable password LFJ8dTG1HExu/pWQ encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]......

Base on the above configuration, I still cannot ping or HTTP.

View 10 Replies View Related

Cisco VPN :: ASA 5520 - Monitor / Trace VPN To VPN Tunnel Traffic?

Sep 7, 2011

I have a two ASA 5520's  and I want to be able to see or monitor the traffic between each tunnel. I am using external addresses but for the sake of this question I will use the following: 1.1.1.1  to 2.2.2.2 .   How can I montior the traffic? 

View 3 Replies View Related

Cisco VPN :: Crypto ACL Asa 5520 Direct All Traffic To Go Over Vpn Tunnel

Feb 14, 2013

we have a L2L-VPN-Tunnel beetween our Headquarter (ASA5520 with Network 10.100.1.0) and a branch office (Cisco1841 with network 10.100.10.0 ). This works fine for years, but now we wish to change the configuration so that ALL traffic from the branch office goes over the vpn-tunnel. My question: How I have to change the crypto acl to reach this. Below the relevant parts of the branch route.

View 6 Replies View Related

Cisco Firewall :: ASA 5520 8.3 VPN Tunnel Drops Traffic

Aug 23, 2011

We have a 100 Mbps WAN circuit, we have configured an IPsec tunnel between ASA 5520 and Cisco 3845 Router for our DR site replication via Veeam Backup and Replication, it was working fine before, when we established the 3DES tunnel the traffic for certain subnets is dropped after an hour and it stops the replication, although tunnel remains up and we can access the other subnets, as soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again and then after an hour the traffic is dropped again.So far the testing and differnet configurations we tried are as under.
 
Tried with a different MTU size both on firewall and ESXi servers but nothing happened.Their is no QOS configuration.Checked the utilization on both ends its Noram although their are subsequent 100% spikes on Cisco 3845 but on average it remians at 30-40%.

View 6 Replies View Related

Cisco Firewall :: ASA 5520 Cannot Block Incoming Traffic

Dec 12, 2012

I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.

View 2 Replies View Related

Cisco VPN :: ASA 5520 IPSec Overlap - How To Route Traffic

Nov 13, 2011

We have multiple vpn tunnels coming to our cisco asa 5520 , the problem is that when we create another tunnel with the same network as another network on the firewall , it does not know how to route the traffic to which interface or sub interface.

View 2 Replies View Related

Cisco VPN :: 5520 - How Much Traffic Pass Through Into IPSec In ASA Firewall

Mar 20, 2013

How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.

View 3 Replies View Related

Cisco Firewall :: 5520 Can't Get Traffic From Inside To Internet

Nov 27, 2011

I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193What am I missing since I can not get trafic from inside to the internet? [code]

View 10 Replies View Related

Cisco Firewall :: Enabling Outbound Traffic Through ASA 5520 8.4(4)1

Apr 4, 2013

We've got a proyect that requires a few thin clients to connect to a remote PCoIP server.
 
Looking to the documentation, the only port required to be open through Firewalls is TCP/UDP 4172, however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).
 
We've got a static NAT translation translating those thin clients to a public IP address, we've created ACLs to allow inbound (shouldn't be necessary as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP and I cannot make it work.
 
I've also enabled IPSec pass-through Inspection to no avail.
 
how should we configure our ASA to enable this kind of traffic?

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - Allow All Traffic From Frame Relay

Jun 14, 2012

I am installing an ASA 5520 and I have a problem on accepring the incoming traffic from an external office connected via Frame Relay.
 
On my OUTSIDE interface I have both the internet traffic and the external office traffic incoming. What comes from the external office is visible as 10.1.0.0/16.
 
I have to allow this traffic to enter the internal network, without any control. I would also keep the original IP address.
 
I have configured the Firewall but I don't know how to setup the NAT.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 8.2(1) - Botnet Traffic Filter?

Jun 28, 2011

When I try to configure the Botnet Traffic filter with the commad "dynamic-filter use database" through the ASDM I get the following error message.
 
[ERROR] dynamic-filter use-database  Dynamic Filter: New data file not terminated with newline

View 14 Replies View Related

Cisco VPN :: ASA 5520 - Traffic Not Routing Between Remotes Using EzVPN With NEM

Jun 27, 2012

I have ezVPN configured on an ASA 5520 for my server with 5505s as my clients at several remote sites.  The tunnels come up no problem and I can hit everything I need to on both sides of the tunnel, but I'm not able to get to another remote network from a remote network.  The traffic goes out the tunnel on the 5505 but on the 5520 all I see is a bunch of scrolling tear down messages. 

[code]....

View 2 Replies View Related

Cisco VPN :: 5520 - Traffic Enters One Interface And Forwards To Another

Apr 19, 2013

I am building a new VPN Anyconnect solution. I want the traffic to enter a interface and that traffic should be forwarded to my "VPN-Machine".
 
The system is a ASA5520 with old software, I am not at work now so i cannot tell exactly.
 
So my question is, how do i make the traffic enter one interface and being forwarded to another? I have splitted the physical interface to several sub-interfaces.

View 5 Replies View Related

Cisco WAN :: ASA 5520 - Routing Based On What Interface Traffic Comes

Mar 26, 2012

We have an ASA that has 3 IPSEC VPN tunnels and standard interenet trafic coming in on Int E0/0 that I need to have go out Int E0/1. E0/1 is directly connected to a Steelhead Riverbed 2020. The Traffic will need to come back out of the Steelhead Riverbed 2020 and into the ASA to Int E0/2. From here it needs to go out either Int E0/3 which is connected to a Catalyst 3560 Switch or back out Int E0/0 though one of the VPN tunnels. I attached a PDF with a diagram if that works.
 
The reason we are doing this is we have Riverbed's at all our locations and they need to talk to each other to optimize traffic. Is this routing possible any other way than PBR (Policy Based Routing)? I am of the understanding that PBR is not supported on the ASA or PIX.

View 0 Replies View Related

Cisco :: ASA 5520 - Don't Allow Guest Traffic Access Internal Network

Feb 28, 2013

I have created a new sub-interface on our ASA 5520 for guest internet access.

My goal is to allow access to a few specific services hanging off some dmz interfaces on the same firewall and full unrestricted access to the internet only. Everything else should be out of bounds.

The order of the rules I plan to setup on the guest interface inbound are:

#1. <rules to allow access to specific services in the dmz>

#2. <block any ip access to the entire private network ip address space>

#3. <permit ip any any>

#1. These rules will give access to the guest user to services located in the dmz

#2. This rule will block all access to any services in the private ip address space (thus blocking access to all internal services)

#3. This rule is to allow access to any other services i.e. the internet.

Is this the best way to achieve my goal in the most secure way or is there a better way? i.e. is there a way to force the traffic by default to only go out the outside interface unless there is a specific rule allowing it go elsewhere?

(Of course Dynamic PAT will also be configured for traffic coming from the guest interface to the outside interface.)

View 2 Replies View Related

Cisco Firewall :: 5520 To Pass Traffic Through Ssm 20 And To Create Sensors

Jun 20, 2011

I have installed asa 5520 , software ver is 8.4,I have SSM-20 installed in asa 5520. How to pass traffic through this ssm-20 ,how to create sensors,how to update signatures of this IPS module ,is there any procedure to automatically update the signatures .

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Permit Traffic To Inside Via MAC - Address?

Apr 6, 2011

I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network?  I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world.  I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.

View 2 Replies View Related

Cisco Firewall :: Command To Check ASA 5520 Is Passing Traffic

May 14, 2012

how can i check that ASA is passing traffic? Also what command we can use to make sure VPN is working fine.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Traffic From DMZ And WAN Forwarded To Object Production

Sep 26, 2011

i have an ASA 5520 8.4(1) with following config
 
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 216.52.185.33 255.255.255.240 standby 216.52.185.34
!

i need traffic (port 9350) from DMZ and WAN forwarded to object Production_23 port 3389, how do i achieve this ?

View 1 Replies View Related

Cisco VPN :: ASA 5520 - Send PIX501 Traffic Out To Proxy Server?

Mar 17, 2011

I currently have 90 remote locations that have PIX501's. They are all running 6.3 on them.  All of these locations are creating an IPSEC VPN to my ASA 5520 (8.4) at the data center.  Web access at the remote locations is currently being handled with ACL thru split tunnels. This is getting increasingly not fun as I have to reach out and touch them one at a time whenever I have to allow more access to the net. Code...

I would like to keep my split tunnel (if possible) for ports 443 and 21.  I allow access to "any" on those ports and have no plans to change it.

Can I send port 80 down the VPN tunnel to the Proxy/Web Filter and then return the results to the Remote Client.

View 4 Replies View Related

Cisco VPN :: ASA 5520 / VPN Phase 2 Complete But LAN Traffic Doesn't Pass

Aug 6, 2011

Just setup a site to site vpn between 2 ASA 5520 Firewalls in two locations but vpn doesn't work even though i see phase 2 completed on the logs. I can't ping across the LANs.

View 2 Replies View Related

Cisco Firewall :: Traffic Shaping Per Users / Ip / Application Using ASA 5520

Apr 5, 2011

I hava Cisco ASA 5520 with AIP-SSM module. I would like to have the below features with ASA installed in Transparent mode.
 
1. Traffic shapping per user
 
2.  Traffic shapping per IP subnet
 
3.  Traffic shapping per Application
 
Is it possible with ASA installed in Transparent mode?

View 9 Replies View Related

Cisco Firewall :: Force ASA 5520 Traffic Out Specific Interface

Jun 1, 2011

I'm trying to route all default traffic from my production environment through my ASA 5520 on the "outside2" interface.The 5520 has a site to site VPN to our DR site on the "outside/inside" interfaces via one ISP. On another ISP, interfaces "outside2/inside2" go to the internet.
When I make my 3750 stack default route for the inside2 interface IP I cannot get to the internet. When it is pointed to the inside interface on my 5505, I can.
 
I get the following errors when I try to open google.com from a production server:Why is the 5520 trying to use the "outside" interface instead of the "outside2" interface to go out?

View 6 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved